the art of defiling · fisting implementations nrune fs nstores data in the Òbad blocksÓ file...
TRANSCRIPT
The Art of Defiling
Defeating Forensic Analysison Unix File Systems
the grugq
Overview
n Introduction
n Unix File Systems
n Forensics
n Anti-Forensics
n Demonstration
n Q & A
Introduction
n Who I amn grugq
n What I don Write intrusion prevention software
n Break forensic tools
n Why anti-forensics?n Security is an arms race
n Trend of increased forensics
n Trend of increased anti-forensics
Unix File Systems
n Overview of a unix file system
n Super-Blocks
n Data Blocks
n Inodes
n Directory Files
SB inodetable
datablocks
File System Overview
n Two main parts to any file system
n Filesn Meta data
n Time stamps, ownership, permissions, etc.
n Datan Disk blocks organised as byte streams
n Meta data filesn Organise data files for human reference
File System
n Superblockn Describes the file system
n Known Location
n Data Blockn Data blocks store…. data!
n Block is the lowest atomic component
n Multiple disk sectors per block
File Systems: inodes
n inodes are filesn Store meta data
n Time Stamps, Reference Counts, Size
n List of data blocksn block pointers
struct inode {int uid, gid;int size;int blk_cnt;int links;int block_ptrs[ BLOCK_NUM ];
}
inode structure: graphic
inode metadatasize, owner, mode etc.
Data blocks
block pointers
indirectblock
.
.
.
.
Directory files
n Create the file systemdirectory hierarchy
n Contain structures to mapnames to inodes
struct dirent {int inode;short rec_len;short name_len;
char name[];
}
0 deleted 16
12 somefile 32
13 lamefile 16
123 lastfile 128
11 lost & found 16
13 lame file 16
12 somefile 32
123 lastfile 128
0 deleted 16
Forensics
n Introduction
n Data Recovery
n Data Parsing
n Data Analysis
Introduction
n Forensics defined
n Forensic Food chain..
BitstreamsEvidence
Filesystems
Files
Data Recovery
n Convert bitstream to file systemnThe Coroner’s Toolkit
n Recovers deleted files
nTCT Utilsn Examine deleted directory entries
n Total file system awarenessnRead “deleted” data
Data Parsing
n Convert file systems into evidencecandidates -- files
n File content requires understanding fileformatsn Email, jpeg, .doc, ELF, etc
Data Analysis
n Keyword searchesn Extract “evidence” from datan JPEG files containing illegal images
n Log files containing access information
Anti-forensics
n Data is evidencen Anti-Forensic Theoryn Data Destruction
n Data Hiding
nData Contraception
“Attempting to limit the quantity andquality of forensic evidence (since 1999)”
Data Destruction
n Deleted file residuen Dirty inodes
n Directory entries
n Dirty data blocks
n File System Activityn inode time stamps
The Defiler’s Toolkit
n Necrofilen Sanitize deleted inodes
n Klismafilen Sanitize directory entries
Before and after
Data Hiding
n Requirementsn Theoryn Implementationsn Demos
“Aspire to subtlety”
Data Hiding – Requirements
n Covert
n Outside the scope of forensic toolsn Temporarily – ergo, insecure long term storage
n Reliablen Data must not disappear
n Securen Can't be accessed without correct tools
n Encrypted
Data Hiding Theory
“Ladies and Gentlemen, I'm hereto talk about FISTing”
Filesystem Insertion & SubversionTechnique
n FISTing is inserting data into places itdoesn't belong
n Data storage in meta-data filesn e.g. Journals, directory files, OLE2 files, etc.
n Modifying meta-data is dangerous!n What holes can you FIST?
Holes for FISTing
FS Specification
fsck
forensics kernel
FIST here
FISTing implementations
n Rune FSn Stores data in the “bad blocks” file
n Waffen FSn Stores data in the ext3 journal file
n KY FSn Stores data in directory files
Rune FS
n Bad Blocks inode 1, root ('/') inode 2n Exploits (historically) incorrect ext2
implementation within TCTn Up to 4GB storagen TCT pseudo code (old):
if (inode < ROOT_INODE || inode > LAST_INO)return BAD_INODE;
n Just a regular inode file
Waffen FS
n Adds an ext3 journal to an ext2 FS
n Exploits e2fsck (and lame forensic tools)n e2fsck supports both ext2 & ext3nHas to guess which FS it's looking at
n Usually 32Mb storage (average journal sz)
n e2fsck pseudo code:for (j_ent = journal; ; j_ent += j_ent->size)
if (IS_VALID(j_ent) == FALSE) /* end of the journal */return JOURNAL_OK;
n Regular file with a fake journal meta-data
KY FS
n Utilizes null directory entries
n Exploits the kernel, e2fsck & forensic tools
n Storage space limited by disk size
Kill Your File System
KY FS details
n Kernel + fsck pseudo code:for (dp = dir; dp < dir_end; dp += dp->rec_len)
if (dp->inode == 0) /* is deleted? */continue;
n Forensic tools pseudo code:if (dp->inode == 0 && dp->namelen > 0)
/* recover deleted file name */
Data Contraception
n Better not to create data than to destroy itn Prevent data from ever being stored on
diskn Use common Unix utilities to reduce the
quality of evidence
“What is the act of not creating?”
Data Contraception: Implem.
n Rexecn Remote execution of binaries without creating
a file on diskn Uses non-exotic utilities to create a remote process
image
n Solves the bootstrapping issue for accessinghidden data storesn Reduces effectiveness of honeypots – no binaries
to “capture”
Summary
n Summarised Unix File System
n Presented overview of forensics
n Presented a methodology for anti-forensics
n Demonstrated simple mechanisms todefeat digital forensic analysis
n 0wned your file system
Q & A